Synopsis: iked.conf(5) needs clearer documentation about which configuration payload options are supported when receiving configurations and their system effects.

Description:
The documentation of configuration payloads in iked.conf(5) has two issues:

1. Missing Implementation Details for Receiving Configuration:
   - ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS
   - However, ikev2_add_cp() shows code exists to send many more options:
     * INTERNAL_IP4_NETMASK
     * INTERNAL_IP4_NBNS (NetBIOS/WINS)
     * INTERNAL_IP4_DHCP
     * INTERNAL_IP4_SERVER
   - This creates an asymmetric implementation where iked can send configurations it cannot process when received

2. Man Page Documentation Issues:
   - No distinction made between sendable and receivable configurations
   - System effects of supported configurations not documented
   - No details about address configuration using host routes
   - No description of DNS configuration via routing socket
   - No mention of cleanup behavior

3. Real-world Impact:
   - Users waste time configuring options that won't work
   - Admins may not understand the network configuration effects
   - Interoperability problems when peers send configurations that iked ignores
   - Log messages show iked receives but ignores valid configuration data from peers

Fix:
Update man page to:
1. Split and clarify config vs request directives:
   - Document which features only work when sending
   - Document receive limitations
2. Document system effects of supported configurations:
   - Explain host route address configuration
   - Detail DNS configuration via routing socket
   - Describe automatic cleanup behavior

Index: iked.conf.5
===================================================================
RCS file: /cvs/src/sbin/iked/iked.conf.5,v
diff -u -p -u -r1.98 iked.conf.5
--- iked.conf.5	13 Jul 2024 12:58:51 -0000	1.98
+++ iked.conf.5	4 Jan 2025 21:31:18 -0000
@@ -683,9 +683,9 @@ Use RSA public key authentication with S .Pp The default is to allow any signature authentication. .Pp + .It Cm config Ar option address -.It Cm request Ar option address -Request or serve one or more optional configuration payloads (CP). +Configure one or more configuration payloads (CP) to be sent to peers. The configuration .Ar option can be one of the following with the expected address format: 
@@ -716,6 +716,44 @@ included. .It Ic access-server Ar address The address of an internal remote access server. .El +.Pp +.It Cm request Ar option address +Request one or more configuration payloads (CP) from peers. +Currently only the following options are supported when receiving configuration: +.Pp +.Bl -tag -width Ds -compact -offset indent +.It Ic address Ar address +Request an IPv4 or IPv6 address on the internal network. +Only the first received address will be used. +When applied to an interface, addresses are configured as host routes +(/32 for IPv4, /128 for IPv6) since netmasks are not negotiated +in the IKEv2 configuration payload. +.It Ic name-server Ar address +Request the DNS server address (IPv4 or IPv6). +Only the first received DNS server will be used. +DNS configuration is applied system-wide via routing socket proposals +which update the system resolver configuration. +.El +.Pp +Other configuration requests may be sent but their values will be ignored if received. +Received configurations can be applied to an interface using the +.Ic iface +directive. +When applied, the following changes occur: +.Bl -dash -offset indent -compact +.It +Interface is configured with received address as a host route +.It +Routes are added for negotiated subnets using the virtual IP as gateway +.It +A direct route to the peer is established +.It +DNS configuration is applied via routing socket +.El +.Pp +All configuration changes are automatically cleaned up when the SA is terminated. +The cleanup process removes configured addresses, routes, and DNS settings, +restoring the original network configuration. .Pp .It Ic iface Ar interface Enable automatic network configuration as initiator.
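Review bot: in the first hunk (the `config` item at line 683), the replacement sentence drops the distinction the old wording "Request or serve" carried: `config` is the serving side, and "to be sent to peers" reads as if these payloads go out unsolicited. Suggest "Serve one or more optional configuration payloads (CP) to peers." so the split from `request` that this patch introduces is explicit. Also, the added line appears as `+ .It Cm config Ar option address` with a space before `.It`; if that space is in the patch itself rather than a pasting artifact, drop it, since mdoc only recognizes a macro at the start of a line.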
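Review bot: in the second hunk, the new `request` text says "Request an IPv4 or IPv6 address" and "DNS server address (IPv4 or IPv6)", while the report's description states that ikev2_pld_cp() only processes INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS; one of the two is wrong about IPv6, so confirm against ikev2_pld_cp() before committing and make the man text and the report agree. The justification "since netmasks are not negotiated in the IKEv2 configuration payload" is likewise at odds with the description, which lists INTERNAL_IP4_NETMASK among the options ikev2_add_cp() can send; "since iked does not process a received netmask" states the actual reason. Finally, the four-item `.Bl -dash` list (host route, subnet routes, peer route, DNS) describes what `iface` does, and the `.It Ic iface Ar interface` entry follows immediately after this hunk; keeping that list in one place, under `iface`, avoids the two descriptions drifting apart.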
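As an added example, not iked code and not part of this report, the C program below walks the attributes of an IKEv2 Configuration payload (RFC 7296, section 3.15) the way a receiver that processes only INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS would: it takes the first value of each, counts every other attribute as received-but-ignored (the asymmetry the description points out), and rejects any attribute whose length runs past the payload. The standard attribute numbers are the IANA values; the INTERNAL_IP4_SERVER number is a private-use value assumed here to match the one in iked's ikev2.h; the CFG_REPLY bytes are constructed for the demonstration.

```c
/*
 * Added example (not iked code): parse an IKEv2 Configuration payload body
 * as a receiver that only handles INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Configuration attribute types (IANA IKEv2 Configuration Attribute Types). */
#define CFG_INTERNAL_IP4_ADDRESS 1
#define CFG_INTERNAL_IP4_NETMASK 2
#define CFG_INTERNAL_IP4_DNS     3
#define CFG_INTERNAL_IP4_NBNS    4
#define CFG_INTERNAL_IP4_DHCP    6
/* Private-use value; assumed to be the number iked's ikev2.h uses for it. */
#define CFG_INTERNAL_IP4_SERVER  23456

#define CP_HDR_LEN  4   /* CFG Type (1) + RESERVED (3) */
#define CP_ATTR_HDR 4   /* R|Attribute Type (2) + Length (2) */

struct cp_result {
    int      have_addr; /* set once the first INTERNAL_IP4_ADDRESS is taken */
    int      have_dns;  /* set once the first INTERNAL_IP4_DNS is taken */
    uint32_t addr;      /* first address, host byte order */
    uint32_t dns;       /* first DNS server, host byte order */
    int      ignored;   /* attributes received but not processed */
};

static uint32_t
get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
        ((uint32_t)p[2] << 8) | p[3];
}

/*
 * Parse a CP payload body (the bytes after the generic payload header).
 * Returns 0 on success, -1 if the header is short or an attribute length
 * would overrun the buffer. Every length is checked before it is used.
 */
int
cp_parse(const uint8_t *buf, size_t len, struct cp_result *res)
{
    size_t off = CP_HDR_LEN;
    unsigned type, alen;

    memset(res, 0, sizeof(*res));
    if (len < CP_HDR_LEN)
        return -1;
    while (off < len) {
        if (len - off < CP_ATTR_HDR)
            return -1;
        type = ((buf[off] << 8) | buf[off + 1]) & 0x7fff; /* strip R bit */
        alen = (buf[off + 2] << 8) | buf[off + 3];
        off += CP_ATTR_HDR;
        if (alen > len - off)
            return -1; /* value would run past the payload */
        switch (type) {
        case CFG_INTERNAL_IP4_ADDRESS:
            if (alen == 4 && !res->have_addr) {
                res->addr = get_be32(buf + off);
                res->have_addr = 1;
            } else
                res->ignored++; /* second address, or wrong length */
            break;
        case CFG_INTERNAL_IP4_DNS:
            if (alen == 4 && !res->have_dns) {
                res->dns = get_be32(buf + off);
                res->have_dns = 1;
            } else
                res->ignored++;
            break;
        default:
            /* NETMASK, NBNS, DHCP, SERVER, ...: logged, then dropped. */
            printf("ignoring CP attribute type %u (%u bytes)\n", type, alen);
            res->ignored++;
            break;
        }
        off += alen;
    }
    return 0;
}

/* Constructed CFG_REPLY: address 10.0.0.2, netmask /24, DNS 10.0.0.53,
 * NBNS 10.0.0.54, then a second address 10.0.0.3 that must not win. */
const uint8_t sample_cp_reply[] = {
    0x02, 0x00, 0x00, 0x00,                   /* CFG_REPLY, reserved */
    0x00, 0x01, 0x00, 0x04, 10, 0, 0, 2,      /* INTERNAL_IP4_ADDRESS */
    0x00, 0x02, 0x00, 0x04, 255, 255, 255, 0, /* INTERNAL_IP4_NETMASK (ignored) */
    0x00, 0x03, 0x00, 0x04, 10, 0, 0, 53,     /* INTERNAL_IP4_DNS */
    0x00, 0x04, 0x00, 0x04, 10, 0, 0, 54,     /* INTERNAL_IP4_NBNS (ignored) */
    0x00, 0x01, 0x00, 0x04, 10, 0, 0, 3,      /* second address (ignored) */
};
const size_t sample_cp_reply_len = sizeof(sample_cp_reply);

/* Constructed truncated payload: the attribute claims 8 bytes, 2 follow. */
const uint8_t sample_cp_truncated[] = {
    0x02, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x08, 10, 0,
};
const size_t sample_cp_truncated_len = sizeof(sample_cp_truncated);

int
main(void)
{
    struct cp_result r;

    if (cp_parse(sample_cp_reply, sample_cp_reply_len, &r) == 0)
        printf("applied addr 0x%08x dns 0x%08x, ignored %d attribute(s)\n",
            (unsigned)r.addr, (unsigned)r.dns, r.ignored);
    if (cp_parse(sample_cp_truncated, sample_cp_truncated_len, &r) != 0)
        printf("truncated payload rejected\n");
    return 0;
}
```

Compile with `cc -Wall` and run: the three "ignoring CP attribute" lines for the netmask, the NBNS server and the second address are the counterpart of the "receives but ignores" log messages the report describes, and the truncated payload is refused before any value is read.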